Nowadays data-driven products in the cloud are delivered faster, IT resources become more responsive and productive with lower costs and higher performance for data operations. Causing Cyber Security risks involved in accessing sensitive data and regulatory compliance requirements.

1. Join Us:
https://www.linkedin.com/compa
ny/application-security-virtual-
meetups
QR Link:

2. Trending Actual Cloud Attacks - Eliminate the
noise
Alex Geleg

3. Trending
Actual
Cloud
Attacks
Eliminate the noise
@alexpeleg
alex@cynergy.app

5. Exploiting
exposed cloud
instances

6. Attack Flow
Attacker’s
Machine
Vulnerable
Cloud Hosted
Website
Cloud
Instance/Pod
Internal
Infrastructure
Roles and
Permissions

7. Impact
• Reputation
• Disruption of Service
• Leakage of sensitive data
• Regulatory fines

8. Mitigation
Access to internal services
Restrict
Continuously for web and infrastructure vulnerabilities
Scan
Privileges and Roles
Control

9. Access to
Sensitive Data

10. Attack Flow
Attacker’s
Machine
Organization
GitHub
Cloud
accounts and
resources
S3 buckets and Blobs
Website Source Code
API-Keys
And Secret keys

11. Impact
• Financial damage from key abuse
• Infrastructure access and takeover
• Sensitive data leakage

12. Mitigation
Git, Web Applications and Exposed Storage
Scan
Developers not to store cleartext keys
Train
Control Privileges
Control

13. Poor Identity
protection

14. Attack Flow
Attacker’s
Machine
Compromised
Credentials
Accounts and
resources
Cloud Identity

15. Impact
• Lack of detection
• Long time organization assets abuse
• Cloud Account takeover

16. Mitigation
a strong and long Password Policy
Maintain
Multi Factor Authentication (MFA)
Enable
Inactive Identities and empty groups
Delete
Access Keys
Rotate

17. Thank
You!
@alexpeleg
alex@cynergy.app

18. Reducing Operational Costs by Automating
Data Security
Ben Herzberg

19. January 2023
© 2023 Satori Inc. All rights reserved.
Reducing Operational
Costs by Automating
Data Security

20. 20
About Me
@KernelXSS
https://www.linkedin.com/in/sysadmin
ben@satoricyber.com
● Co-author of “Snowflake
Security” (Apress)
● A DataSecOps Guy
● Chief Scientist, Satori
● Now also VPM :)
● Formerly:
○ Head of Research
(Imperva)
○ CTO (Cynet)

21. 21
Agenda
● Data & Data Security
● DataSecOps
● Why Automate? And Why Now?
● What & How Do You Automate?
● Examples
● Q&A

22. Intro: Data and
Data Security

23. 23
*Source: Statista, 7 June 2021 .

24. 24
Default To Know
Need To Know
Need To Share

25. 25
Everybody
wants
value from
data

26. 26
Data Teams
Data-Driven Value

27. 27
Data
is getting
hard to
control

28. 28
More
risks
around
data
Compliance
Security
Privacy
Operational

29. DataSecOps

30. 30
Learning From DevOps

31. 31
DevOops
DevOps as a team, not as a mindset
Misconfigurations and Change
Management
Cost of security-as-a-patch can be high
Security has to be bolted into the process!

32. 32
From DevOps to DevSecOps
● Shift-left
● Incremental changes
● Automation
● Security is embedded into the
process
Source: https://meming.world

33. 33
So… What’s DataSecOps?
An agile, holistic, security-embedded approach to
coordination of the ever-changing data and its users,
aimed at delivering quick data-to-value, while keeping
data private, safe and well-governed.

34. 34
DataSecOps Principles
● Security as continuous part of their data operations,
not an afterthought
● Ad-hoc continuous
● Separation of environments, testing & automation
● Prioritization is key - mostly sensitive data
● Data is clearly owned
● Simplified & deterministic data access

35. 35
DataSecOps
Data-Driven Value

36. 36
Would you do Manual DevSecOps?

37. Why Automate?

38. We are a billion dollar company but
anyone can run a SQL query and
get a million email addresses.
VP Data Engineering, SaaS Company
‫״‬ I have an army of people creating
users, roles and views. By the time
they are done, it's already outdated.
CDO, Financial Services Company
‫״‬
Security vs. Productivity

39. We all know…
29% loss of revenue due
to Data Breach.

40. But this is AS IMPORTANT…
Between 60% and 85% of
data projects fail.
DevOps + Data
engineering teams
experience 20%-30% loss
of productivity.

41. Or looking at it from another perspective…
62% says security & compliance
slows down data projects
71%-79% Of Data Leaders
Deal with PII

42. Automated Compliance
Always know
where data is, who has
access to it, what are
they doing with it
Tight Security
User can only access
data they need when
they need it
Productivity
Central governance,
distributed operations
with no restrictions on
data architecture
Key benefits of Just-in-Time Automated Access

43. Why (especially)
Now?

45. What & How To
Automate

46. 46
What To Automate?
● Whatever:
○ has the most effect on security & compliance
○ is taking its toll
● Meaning:
○ Log processing
○ Data access (Authentication & Authorization)
○ Security policies

47. 47
The Challenge
● Security teams are in charge of security
● Data is (usually) a black box

48. 48
The Journey to Access Automation
Level 1 Level 2 Level 3
Data Access Model Ad-hoc Access Basic Access
Management
Just-in-Time Access
Provisioning Employees get access
upfront when they join or
ad-hoc when requested.
Basic RBAC framework. Employees get access
Just-in-Time based on
business needs.
Permissions Persistence 100% High 90% Based on business needs
(~20%)
Automation Fully manual Role provisioning
Some policies
Fully automated
Typical Time 1-3 months 6-9 months 12-18 months

49. 49
How?
● DIY
● Orchestration
● Data Security Platform 😸

50. Some Automation
Results

51. 51
DevOps: Access To Production
● Productivity was NOT top concern.
● 25% of DevOps time was spent on granting/revoking
permissions, etc.
● Moving to JIT → several headcounts are now working on
MEANINGFUL things.
● Factors: # data users, grant time, revoke time,
monitoring time, pager duties

52. 52
Data Engineers: DWH
● Project initiated by the data team (DIY)
● Tale chasing:
○ Masking, RLS
○ Managing RBAC, ABAC
○ Moving targets
● # data users, time to set policies which gets longer,
roles management/explosion

53. Conclusion

54. 54
Takeaways
● It’s 2023
● Got data? users? congrats, you need to automate.
● Choose how!

55. 55
Thanks! (+Questions)
@KernelXSS
https://www.linkedin.com/in/sysadmin
ben@satoricyber.com
Keep in touch!
Read More
satoricyber.com
blog.satoricyber.com

56. Keep your BigQuery data encrypted
Ran Tibi

57. Keep your BigQuery
data encrypted
Ran Tibi

58. 58

59. 59
Application
BigQuery

60. 60
Application
BigQuery
GCS

61. 61
Application
BigQuery
GCS
PubSub Dataflow

62. 62
{"id": "1", "email": "ran@example.com"}
{"id": "2", "email": "rose@example.com"}
{"id": "3", "email": "fox@example.com"}
{"id": "4", "email": "pilot@example.com"}
users.json

63. 63

64. 64
Application
BigQuery
GCS
PubSub Dataflow

65. 65
Application
BigQuery
GCS
PubSub Dataflow
Encryption in transit
SSL
SSL
SSL
SSL
SSL
SSL
SSL

66. 66
Application
BigQuery
GCS
PubSub Dataflow
Encryption in transit
Encryption at rest
SSL
SSL
SSL
SSL
SSL
SSL
SSL

67. 67

68. 68
Application
BigQuery
GCS
PubSub Dataflow
Encryption in transit
Encryption at rest
Application layer
encryption
SSL
SSL
SSL
SSL
SSL
SSL
SSL

69. 69

70. SELECT email,
DECRYPT(email) decrypted_email
FROM `app.users_encrypted`
70

71. AEAD Functions
Authenticated Encryption with Associated Data
● Encrypt
● Decrypt
● Create keyset
● …
71

72. 72
DECLARE keyset BYTES;
set keyset = from_base64('CKeEwo...MOqyAB');
select
email,
DETERMINISTIC_DECRYPT_STRING(keyset, email, "") AS decrypted_email
FROM `aead-poc.app.users_encrypted`;

73. 73
DECLARE keyset BYTES;
set keyset = from_base64('CKeEwo...MOqyAB');
select
email,
DETERMINISTIC_DECRYPT_STRING(keyset, email, "") AS decrypted_email
FROM `aead-poc.app.users_encrypted`;

74. 74
But…
DECLARE keyset BYTES;
set keyset = from_base64('CKeEwo...MOqyAB');
select
email,
DETERMINISTIC_DECRYPT_STRING(keyset, email, "") AS decrypted_email
FROM `aead-poc.app.users_encrypted`;

75. 75
DEK
Data Encryption Key
KEK
Key Encryption Key
Symmetric
Encryption
Wrapper
Encrypted DEK

76. Data encryption / decryption process
76
76
DEK
KEK
Symmetric
Decryption
Wrapper
Encryption
Algorithm
Sensitive
message
Encrypted
message
Encryption
Decryption

77. Google KMS
✔ Create key
✔ Encrypt / Decrypt
✘ Export key
77

78. 78
DEK Wrapper
Encrypted DEK
KEK
Google
KMS
encrypt

79. Runtime encryption process using KMS
79
79
DEK
KEK
Application
Wrapper
Encryption
Algorithm
Sensitive
message
Encrypted
message
Encryption
Decryption
Google
KMS
decrypt

80. 80
gcloud kms keyrings create poc-keyring
--location us-central1
gcloud kms keys create kek
--keyring poc-keyring
--location us-central1
--purpose "encryption"
Create KEK in KMS

81. 81
SET kms_resource_name = 'gcp-kms://projects/aead-
poc/locations/us-central1/keyRings/poc-
keyring/cryptoKeys/kek';
SELECT KEYS.NEW_WRAPPED_KEYSET(
kms_resource_name,
'DETERMINISTIC_AEAD_AES_SIV_CMAC_256')
Generate wrapper

82. 82
CJ6fqK4GEmQKWAowdHlwZS5nb29nbGVhcGlzL
mNvbS9nb29nbGUuY3J5cHRvLnRpbmsuQWVzR2
NtS2V5EiIaIOpnR2FJQUAwmaCGcBBUxAmw7HD
UOGP//YAe3PkJ5AeEGAEQARien6iuBiAB

83. On-demand decrypt in BigQuery
83
SET KMS_RESOURCE_NAME = 'gcp-kms://projects/aead-
poc/locations/us-central1/keyRings/poc-
keyring/cryptoKeys/kek';
SET WRAPPER =
FROM_BASE64("CiQA14LE......................brY9fZ3U=");
SELECT
email,
DETERMINISTIC_DECRYPT_STRING(
KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, WRAPPER),
email, "") decrypted_email
FROM `aead-poc.app.users_encrypted`

84. On-demand decrypt in BigQuery
84
SET KMS_RESOURCE_NAME = 'gcp-kms://projects/aead-
poc/locations/us-central1/keyRings/poc-
keyring/cryptoKeys/kek';
SET WRAPPER =
FROM_BASE64("CiQA14LE......................brY9fZ3U=");
SELECT
email,
DETERMINISTIC_DECRYPT_STRING(
KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, WRAPPER),
email, "") decrypted_email
FROM `aead-poc.app.users_encrypted`

85. On-demand decrypt in BigQuery
85
CREATE OR REPLACE FUNCTION `aead-poc.app.decrypt`(encodedText bytes)
RETURNS STRING AS (
DETERMINISTIC_DECRYPT_STRING(
KEYS.KEYSET_CHAIN('gcp-kms://projects/aead-
poc/locations/us-central1/keyRings/poc-
keyring/cryptoKeys/kek',
b'004324........003'),
encodedText, "")
);

86. SELECT email,
`aead-poc.app.decrypt`(email) decrypted_email
FROM `app.users_encrypted`
86

87. IAM
roles/cloudkms.cryptoKeyEncrypterDecrypter
VS
roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation
87

88. IAM
roles/cloudkms.cryptoKeyEncrypterDecrypter
VS
roles/cloudkms.cryptoKeyEncrypterDecrypterViaDelegation
88

89. No one except for the application
runtime has access to the DEK
89

90. Use Tink for encryption in application side
90
import tink
daead.register()
keyset_handle = tink.KeysetHandle.read(
tink.JsonKeysetReader('{"encryptedKeyset":"Ci..g=",...}'),
gcpkms.GcpKmsClient('',gcp_credential_path)
.get_aead('gcp-kms://projects/…/kek'))
cipher = keyset_handle.primitive(daead.DeterministicAead)
ciphertext = cipher.encrypt_deterministically(b'plaintext', b'')
plaintext = cipher.decrypt_deterministically(ciphertext, b'')
Decrypt the wrapper
Wrapper
KEK URI
Create Cipher object
Encrypt / Decrypt using the DEK

91. On-demand encrypt in BigQuery
91
SET KMS_RESOURCE_NAME = 'gcp-kms://projects/aead-
poc/locations/us-central1/keyRings/poc-
keyring/cryptoKeys/kek';
SET WRAPPER =
FROM_BASE64("CiQA14LE......................brY9fZ3U=");
CREATE TABLE `aead-poc.app.users_encrypted` as
SELECT
DETERMINISTIC_ENCRYPT(
KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, WRAPPER),
email, "") email
FROM `aead-poc.app.users`

92. 92
Application
BigQuery
GCS
PubSub Dataflow
Encryption in transit
Encryption at rest
Application layer
encryption
SSL
SSL
SSL
SSL
SSL
SSL
SSL

93. Deterministic VS Nondeterministic
93

94. Performance
94
100M
Records
64
Bytes
Plain text Decrypt first
Elapsed time Slot time Elapsed time Slot time
Substring + group by 14 sec 10 min 15 sec 18 min
Select distinct 21 sec 23 min 22 sec 35 min
~50-80%
Almost the same

95. Pricing
95
SET KMS_RESOURCE_NAME = 'gcp-kms://projects/aead-
poc/locations/us-central1/keyRings/poc-
keyring/cryptoKeys/kek';
SET WRAPPER =
FROM_BASE64("CiQA14LE......................brY9fZ3U=");
SELECT
DETERMINISTIC_DECRYPT_STRING(
KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, WRAPPER),
email, "") decrypted_email
FROM `aead-poc.app.users_encrypted`

96. Pricing
96
Storage overhead
21 Bytes per encrypted field

97. Limitations
● Key per tenant - not supported
97
select
email,
DETERMINISTIC_DECRYPT_STRING(
KEYS.KEYSET_CHAIN(KMS_RESOURCE_NAME, tp.wrapper),
email, "") AS decrypted_email
FROM `aead-poc.app.users_encrypted`
JOIN `aead-poc.app.tenants_wrappers` tw
USING (tenant_id)

98. Keep it in mind
98

99. Follow me
runtibi@gmail.com
/rantibi
@rantb
99

100. Q & A
100

101. Thank You!
Questions?
To be continued…
https://www.linkedin.com/company/application-security-virtual-meetups